[Bug 1082] Hard lockup when inserting nft rules (esp. ct rule)

bugzilla-daemon at netfilter.org
Thu Aug 18 03:44:29 CEST 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1082

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Wang Jian from comment #0)
[...]
> The ruleset is loaded without problem before we begin to transit vpn links.
> After we transit all links, we want to update the ruleset to add a new open
> IP. But loading the modified ruleset causes this machine hard lockup
> immediately. 

What do you mean by loading the "modified ruleset"? So as soon as you invoke
some specific command you experience problems?

> After quick pinpoints, we are sure:
> 
> 1. The unmodified ruleset can cause lockup too
> 2. The lockup is caused by the last "ct state" rule (if commented, no lockup)

This is confusing.

Now you say that the lockup only happens if the last rule using 'reject' is
there?

> We move most of vpn links to a backup server after work time, which has the
> same hardware and software. Loading ruleset in this backup server doesn't
> cause hard lockup. Loading ruleset in the aforementioned now unloaded server
> doesn't cause hard lockup, either.

I'm getting confused here. So the backup server does not experience any problem
at all with this ruleset?

> We are sure:
> 
> 3. Certain traffic load is a factor for the hard lockup

Please provide more specific information to make sure this is a bug in
nftables, such as backtraces.
